
Overview

NIST Special Publication 800-171 Revision 3 specifies security requirements for protecting Controlled Unclassified Information (CUI) when it resides in nonfederal systems and organizations. It applies to government contractors and to any other organization that handles CUI. Nabla’s automated assessment analyzes your infrastructure-as-code (currently Terraform state) and evaluates it against the NIST 800-171 security requirements that can be observed in infrastructure, reporting the results in OSCAL.

Framework Details

  • Framework: NIST 800-171
  • Version: Revision 3
  • Control Count: 97 requirements across 17 families in Revision 3 (Revision 2 had 110 requirements across 14 families; the tables below use the 3.x.y identifiers shared by both revisions)
  • Output Format: OSCAL Assessment Results (JSON)
  • Primary Use Case: CUI protection, government contracting (DFARS compliance)

Assessed Control Families

3.1 Access Control

Control | Title | Assessment Method
--- | --- | ---
3.1.1 | Limit system access to authorized users | Detects IAM users, roles, RBAC resources
3.1.2 | Limit access to types of transactions | Evaluates IAM policies and access controls
3.1.3 | Control CUI flow | Analyzes network segmentation and security groups
3.1.5 | Employ least privilege | Identifies wildcard permissions in policies
3.1.12 | Monitor remote access sessions | Detects VPN gateways and remote access controls
3.1.13 | Cryptographic mechanisms for remote access | Verifies TLS/encryption for remote connections
3.1.14 | Route remote access via managed access control points | Checks for VPN/bastion architectures
3.1.20 | External system connections | Identifies VPC peering, transit gateways

3.3 Audit and Accountability

Control | Title | Assessment Method
--- | --- | ---
3.3.1 | Create and retain system audit logs | Detects CloudTrail, CloudWatch, diagnostic settings
3.3.2 | Alert on audit logging process failure | Identifies CloudWatch alarms, monitoring alerts
3.3.4 | Review and update logged events | Verifies configurable audit mechanisms

3.4 Configuration Management

Control | Title | Assessment Method
--- | --- | ---
3.4.1 | Establish baseline configurations | Infrastructure-as-code represents versioned baselines
3.4.2 | Enforce security configuration settings | Detects version-controlled configuration
3.4.6 | Employ least functionality | Identifies unnecessary exposed services/ports
3.4.7 | Restrict network access | Evaluates security groups and firewall rules

3.5 Identification and Authentication

Control | Title | Assessment Method
--- | --- | ---
3.5.1 | Identify system users | Detects IAM users, Azure AD, identity platforms
3.5.2 | Authenticate users and devices | Analyzes authentication mechanisms
3.5.3 | Use multifactor authentication | Verifies MFA requirements in Cognito, IAM policies
3.5.7 | Prevent reuse of identifiers | Validates cloud IAM service enforcement
3.5.10 | Store and transmit credentials securely | Detects Secrets Manager, Key Vault, Secret Manager

3.11 Risk Assessment

Control | Title | Assessment Method
--- | --- | ---
3.11.1 | Conduct risk assessments | Organizational process (not fully assessable via IaC)
3.11.2 | Scan for vulnerabilities | Detects AWS Inspector, Security Center, vulnerability scanning

3.13 System and Communications Protection

Control | Title | Assessment Method
--- | --- | ---
3.13.1 | Monitor and control communications at boundaries | Identifies security groups, NACLs, firewalls, WAF
3.13.5 | Implement subnetworks for public components | Verifies subnet separation
3.13.8 | Cryptographic mechanisms for transmission | Detects HTTPS listeners, TLS configurations
3.13.10 | Cryptographic key establishment and management | Analyzes KMS, Key Vault, key rotation
3.13.11 | Employ FIPS-validated cryptography | Verifies use of FIPS 140-2 validated services

3.14 System and Information Integrity

Control | Title | Assessment Method
--- | --- | ---
3.14.1 | Identify and manage system flaws | Organizational process (patch management)
3.14.2 | Provide protection from malicious code | Detects GuardDuty and malware protection
3.14.3 | Monitor system security alerts | Identifies SNS topics, monitoring alerts
3.14.6 | Monitor organizational systems | Detects comprehensive logging and monitoring
3.14.7 | Identify unauthorized use | Analyzes GuardDuty, Security Hub, threat detection
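The checks in the tables above reduce to pattern matching over the resources recorded in a Terraform state file. The following is an added example, not Nabla’s implementation, showing four of them over a constructed state: 3.1.5 wildcard detection in IAM policies, 3.13.1 security-group exposure to 0.0.0.0/0, 3.13.8 listener encryption (with the HTTP-to-HTTPS redirect edge case handled), and 3.3.1 CloudTrail presence. The attribute names are those the Terraform AWS provider writes to state; the sensitive-port list and the multi-region requirement for CloudTrail are this example’s own choices.

```python
import json
from dataclasses import dataclass

@dataclass
class Observation:
    control_id: str
    subject: str      # Terraform address such as aws_iam_policy.admin, or "system"
    status: str       # "satisfied" or "not-satisfied"
    description: str

def _instances(state, rtype):
    """Yield (address, attributes) for each managed instance of one resource type."""
    for res in state.get("resources", []):
        if res.get("mode", "managed") == "managed" and res.get("type") == rtype:
            for inst in res.get("instances", []):
                yield f"{res['type']}.{res['name']}", inst.get("attributes") or {}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_3_1_5(state):
    """3.1.5 least privilege: count Allow statements with a wildcard Action or Resource."""
    obs = []
    for addr, attrs in _instances(state, "aws_iam_policy"):
        bad = 0
        for st in _as_list(json.loads(attrs.get("policy") or "{}").get("Statement", [])):
            actions = _as_list(st.get("Action", []))
            # "*" or "service:*" is an unbounded action set; a "*" Resource is unbounded scope
            if st.get("Effect") == "Allow" and (
                    any(a == "*" or a.endswith(":*") for a in actions) or "*" in _as_list(st.get("Resource", []))):
                bad += 1
        status = "not-satisfied" if bad else "satisfied"
        detail = f"Overly permissive wildcard (*) found in {bad} Allow statement(s)" if bad else "No wildcard Allow statements"
        obs.append(Observation("3.1.5", addr, status, detail))
    return obs

def check_3_13_1(state, sensitive_ports=(22, 3389, 3306, 5432)):
    """3.13.1 boundary protection: security-group ingress from anywhere on admin or database ports."""
    obs = []
    for addr, attrs in _instances(state, "aws_security_group"):
        for rule in attrs.get("ingress") or []:
            cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
            if not any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
                continue
            lo, hi = int(rule.get("from_port") or 0), int(rule.get("to_port") or 0)
            # protocol "-1" means every protocol and port, whatever from_port/to_port say
            exposed = list(sensitive_ports) if rule.get("protocol") == "-1" else [p for p in sensitive_ports if lo <= p <= hi]
            if exposed:
                obs.append(Observation("3.13.1", addr, "not-satisfied", f"Ports {exposed} reachable from 0.0.0.0/0"))
    return obs

def check_3_13_8(state):
    """3.13.8 encryption in transit: flag plain-HTTP listeners unless they only redirect to HTTPS."""
    obs = []
    for rtype in ("aws_lb_listener", "aws_alb_listener"):
        for addr, attrs in _instances(state, rtype):
            proto = (attrs.get("protocol") or "").upper()
            actions = attrs.get("default_action") or []
            redirect_only = bool(actions) and all(
                a.get("type") == "redirect"
                and any((r.get("protocol") or "").upper() == "HTTPS" for r in a.get("redirect") or [])
                for a in actions)
            status = "satisfied" if proto in ("HTTPS", "TLS") or redirect_only else "not-satisfied"
            obs.append(Observation("3.13.8", addr, status, f"{proto} listener" + (", redirect to HTTPS only" if redirect_only else "")))
    return obs

def check_3_3_1(state):
    """3.3.1 audit logging: require at least one multi-region CloudTrail trail."""
    trails = list(_instances(state, "aws_cloudtrail"))
    if any(attrs.get("is_multi_region_trail") for _, attrs in trails):
        return [Observation("3.3.1", "system", "satisfied", "Multi-region CloudTrail trail present")]
    why = "CloudTrail trail is not multi-region" if trails else "No event logging mechanisms found"
    return [Observation("3.3.1", "system", "not-satisfied", why)]

def assess(state):
    return check_3_1_5(state) + check_3_13_1(state) + check_3_13_8(state) + check_3_3_1(state)

def findings(state):
    return [o for o in assess(state) if o.status == "not-satisfied"]

def _policy(statements):
    return json.dumps({"Version": "2012-10-17", "Statement": statements})

# Constructed Terraform state (format version 4), trimmed to the attributes the checks read.
SAMPLE_STATE = {"version": 4, "resources": [
    {"mode": "managed", "type": "aws_iam_policy", "name": "admin", "instances": [{"attributes": {
        "policy": _policy([{"Effect": "Allow", "Action": "*", "Resource": "*"}])}}]},
    {"mode": "managed", "type": "aws_iam_policy", "name": "reader", "instances": [{"attributes": {
        "policy": _policy([{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::cui-bucket/*"}])}}]},
    {"mode": "managed", "type": "aws_security_group", "name": "bastion", "instances": [{"attributes": {
        "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}}]},
    {"mode": "managed", "type": "aws_lb_listener", "name": "http", "instances": [{"attributes": {
        "protocol": "HTTP", "port": 80,
        "default_action": [{"type": "redirect", "redirect": [{"protocol": "HTTPS", "port": "443"}]}]}}]},
    {"mode": "managed", "type": "aws_cloudtrail", "name": "main", "instances": [{"attributes": {
        "is_multi_region_trail": False}}]},
]}

if __name__ == "__main__":
    for o in assess(SAMPLE_STATE):
        print(f"{o.control_id:<8}{o.status:<15}{o.subject:<28}{o.description}")
```

Run it against real input by replacing `SAMPLE_STATE` with `json.load(open("terraform.tfstate"))` (or the output of `terraform state pull`). Two details matter in practice: a port-80 listener whose only default action is a redirect to HTTPS is not an unencrypted transmission path and is reported as satisfied, and the 3.3.1 observation has no single resource as its subject, so it is attached to the system rather than to a Terraform address.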

Multi-Cloud Support

Expanding Beyond AWS: While our initial implementation focuses on AWS resources, we’re actively adding support for:
  • Azure: azurerm_* resources (Key Vault, RBAC, NSGs, Sentinel)
  • Google Cloud: google_* resources (Cloud KMS, IAM, VPC, Security Command Center)
  • Multi-Cloud: Unified compliance posture across hybrid environments
The NIST 800-171 assessor already detects some Azure and GCP resource types; the Azure list below is the planned coverage. Coverage will continue to expand based on customer needs.

Currently Supported Resource Types

AWS Resources
  • aws_iam_user, aws_iam_role, aws_iam_group, aws_iam_policy
  • aws_security_group, aws_network_acl, aws_vpc, aws_subnet
  • aws_cloudtrail, aws_cloudwatch_log_group, aws_cloudwatch_metric_alarm
  • aws_kms_key, aws_kms_alias
  • aws_s3_bucket (with encryption checks)
  • aws_db_instance, aws_rds_cluster (encryption at rest)
  • aws_vpn_gateway, aws_vpn_connection, aws_customer_gateway
  • aws_cognito_user_pool
  • aws_secretsmanager_secret, aws_ssm_parameter
  • aws_guardduty_detector, aws_inspector_assessment_template
  • aws_lb_listener, aws_alb_listener
Azure Resources (Coming Soon!)
  • azurerm_role_assignment, azurerm_role_definition
  • azurerm_network_security_group, azurerm_subnet, azurerm_firewall
  • azurerm_monitor_diagnostic_setting, azurerm_monitor_metric_alert
  • azurerm_key_vault, azurerm_key_vault_key, azurerm_key_vault_secret
  • azurerm_active_directory_user (note: in current Terraform providers, Entra ID users are managed as azuread_user in the azuread provider, not under azurerm)
  • azurerm_virtual_network_gateway, azurerm_virtual_network_peering
  • azurerm_security_center_subscription_pricing
  • azurerm_policy_definition, azurerm_policy_assignment

Assessment Workflow

OSCAL Output Structure

Results conform to OSCAL 1.0.4 Assessment Results format:
{
  "assessment-results": {
    "uuid": "assessment-uuid",
    "metadata": {
      "title": "Nabla NIST 800-171 Assessment",
      "version": "1.0.0",
      "oscal-version": "1.0.4"
    },
    "results": [{
      "uuid": "result-uuid",
      "title": "NIST 800-171 IaC Assessment",
      "description": "Automated assessment results from Terraform statefile analysis",
      "start": "2025-10-05T12:00:00Z",
      "end": "2025-10-05T12:05:00Z",
      "local-definitions": {
        "components": [...],
        "inventory-items": [...]
      },
      "observations": [
        {
          "uuid": "obs-uuid",
          "title": "3.1.1 Evidence",
          "description": "Identity resource: aws_iam_user.admin",
          "methods": ["TEST"],
          "subjects": [{
            "subject-id": "component-uuid",
            "type": "component"
          }],
          "props": [
            { "name": "control-id", "value": "3.1.1" },
            { "name": "status", "value": "satisfied" },
            { "name": "automated", "value": "true" }
          ]
        }
      ],
      "findings": [
        {
          "uuid": "finding-uuid",
          "title": "3.1.5 Finding",
          "description": "Overly permissive wildcard (*) found in policy",
          "target": {
            "target-id": "3.1.5",
            "type": "control"
          },
          "related-observations": [
            { "observation-uuid": "obs-uuid" }
          ]
        }
      ],
      "reviewed-controls": {
        "control-selections": [{
          "include-controls": [
            { "control-id": "3.1.1" },
            { "control-id": "3.1.2" }
          ],
          "source": {
            "href": "https://csrc.nist.gov/publications/detail/sp/800-171/rev-3/final"
          }
        }]
      }
    }]
  }
}
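The placeholder values above ("obs-uuid", "component-uuid") stand for real UUIDs, and the document only hangs together if every finding’s related-observations points at an observation that exists and every observation’s subject-id points at a declared component. As an added example, not Nabla’s generator, the following builds a document of this shape from per-control observations and then checks those cross-references; the component fields, the numeric sort order of control ids and the sample observations are this example’s own.

```python
import json
import uuid
from datetime import datetime, timezone

OSCAL_VERSION = "1.0.4"
SOURCE_HREF = "https://csrc.nist.gov/publications/detail/sp/800-171/rev-3/final"

def _control_key(control_id):
    """Numeric sort key so that 3.1.5 sorts before 3.13.8."""
    return [int(part) for part in control_id.split(".")]

def _utc_now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def build_assessment_results(observations, title="Nabla NIST 800-171 Assessment", start=None, end=None):
    """observations: dicts with control_id, subject, status ("satisfied"/"not-satisfied"), description.
    One component per distinct subject, one OSCAL observation per input, and one finding per
    control that has a not-satisfied observation, linked back to those observations by uuid."""
    start = start or _utc_now()
    component_uuids, oscal_observations, by_control = {}, [], {}
    for o in observations:
        comp_uuid = component_uuids.setdefault(o["subject"], str(uuid.uuid4()))
        ob = {
            "uuid": str(uuid.uuid4()),
            "title": f"{o['control_id']} Evidence",
            "description": f"{o['subject']}: {o['description']}",
            "methods": ["TEST"],
            "subjects": [{"subject-id": comp_uuid, "type": "component"}],
            "props": [{"name": "control-id", "value": o["control_id"]},
                      {"name": "status", "value": o["status"]},
                      {"name": "automated", "value": "true"}],
        }
        oscal_observations.append(ob)
        by_control.setdefault(o["control_id"], []).append((o["status"], o["description"], ob["uuid"]))
    findings = []
    for cid in sorted(by_control, key=_control_key):
        failed = [(d, u) for s, d, u in by_control[cid] if s == "not-satisfied"]
        if failed:
            findings.append({
                "uuid": str(uuid.uuid4()),
                "title": f"{cid} Finding",
                "description": "; ".join(d for d, _ in failed),
                "target": {"target-id": cid, "type": "control"},
                "related-observations": [{"observation-uuid": u} for _, u in failed],
            })
    # uuid, type, title, description and status are the fields the OSCAL component model requires
    components = [{"uuid": u, "type": "service", "title": s, "description": f"Terraform resource {s}",
                   "status": {"state": "operational"}} for s, u in component_uuids.items()]
    return {"assessment-results": {
        "uuid": str(uuid.uuid4()),
        "metadata": {"title": title, "version": "1.0.0", "oscal-version": OSCAL_VERSION},
        "results": [{
            "uuid": str(uuid.uuid4()),
            "title": "NIST 800-171 IaC Assessment",
            "description": "Automated assessment results from Terraform state file analysis",
            "start": start,
            "end": end or _utc_now(),
            "local-definitions": {"components": components, "inventory-items": []},
            "observations": oscal_observations,
            "findings": findings,
            "reviewed-controls": {"control-selections": [{
                "include-controls": [{"control-id": c} for c in sorted(by_control, key=_control_key)],
                "source": {"href": SOURCE_HREF}}]},
        }],
    }}

def dangling_references(doc):
    """Cross-references that do not resolve: a finding pointing at a missing observation,
    or an observation whose subject is not a declared component. Empty list means consistent."""
    problems = []
    for result in doc["assessment-results"]["results"]:
        obs_uuids = {o["uuid"] for o in result["observations"]}
        comp_uuids = {c["uuid"] for c in result["local-definitions"]["components"]}
        for f in result["findings"]:
            problems += [f"{f['title']} -> observation {r['observation-uuid']}"
                         for r in f.get("related-observations", []) if r["observation-uuid"] not in obs_uuids]
        for o in result["observations"]:
            problems += [f"{o['title']} -> component {s['subject-id']}"
                         for s in o.get("subjects", []) if s["type"] == "component" and s["subject-id"] not in comp_uuids]
    return problems

# Constructed observations, shaped like the output of an IaC scan
SAMPLE_OBSERVATIONS = [
    {"control_id": "3.1.1", "subject": "aws_iam_user.admin", "status": "satisfied",
     "description": "Identity resource present"},
    {"control_id": "3.1.5", "subject": "aws_iam_policy.admin", "status": "not-satisfied",
     "description": "Overly permissive wildcard (*) found in policy"},
    {"control_id": "3.1.5", "subject": "aws_iam_policy.reader", "status": "satisfied",
     "description": "No wildcard Allow statements"},
    {"control_id": "3.13.8", "subject": "aws_lb_listener.http", "status": "not-satisfied",
     "description": "Unencrypted HTTP listener"},
]

if __name__ == "__main__":
    doc = build_assessment_results(SAMPLE_OBSERVATIONS)
    assert dangling_references(doc) == []
    print(json.dumps(doc, indent=2))
```

`dangling_references` is worth running on any OSCAL file you merge or edit by hand before it goes into evidence retention: a finding whose observation uuid no longer resolves is a finding with no evidence behind it.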

Example Assessment Request

curl --request POST \
  --url https://api.usenabla.com/v1/cmmc \
  --header 'Content-Type: application/json' \
  --header 'X-Customer-Key: <x-customer-key>' \
  --data '{
  "name": "<string>",
  "format": "oscal",
  "source_type": "terraform_state",
  "source_content": "<string>"
}'
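Terraform state stores resource attributes in plaintext, including database passwords, SSM SecureString values and other secrets, so the state should be redacted before it is embedded in source_content and sent to any external service. The following is an added example client, not Nabla’s SDK: the attribute deny-list and the handling of Terraform’s sensitive_attributes markers are this example’s own, the state is constructed, and the URL, header and body fields are the ones in the curl call above.

```python
import copy
import json
import os
import urllib.request

API_URL = "https://api.usenabla.com/v1/cmmc"
REDACTED = "[REDACTED]"
# This example's deny-list of attribute names that hold credentials in common provider resources.
SECRET_ATTRS = {"password", "master_password", "secret_string", "secret_binary", "private_key",
                "client_secret", "access_key", "secret_key"}
TYPE_SECRET_ATTRS = {"aws_ssm_parameter": {"value", "insecure_value"},
                     "azurerm_key_vault_secret": {"value"},
                     "google_secret_manager_secret_version": {"secret_data"}}

def _marked_sensitive(instance):
    """Attribute names Terraform recorded under sensitive_attributes (top-level get_attr steps only)."""
    return {path[0]["value"] for path in instance.get("sensitive_attributes") or []
            if path and path[0].get("type") == "get_attr"}

def redact_state(state):
    """Return (copy of the state with secret values replaced, number of values replaced)."""
    out, replaced = copy.deepcopy(state), 0
    for res in out.get("resources", []):
        per_type = TYPE_SECRET_ATTRS.get(res.get("type"), set())
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            for name in (SECRET_ATTRS | per_type | _marked_sensitive(inst)) & set(attrs):
                if attrs[name] not in (None, "", REDACTED):
                    attrs[name] = REDACTED
                    replaced += 1
    return out, replaced

def build_request(name, state):
    """Request body for POST /v1/cmmc: the redacted state is embedded as a JSON string."""
    redacted, replaced = redact_state(state)
    return {"name": name, "format": "oscal", "source_type": "terraform_state",
            "source_content": json.dumps(redacted)}, replaced

def submit(body, customer_key, url=API_URL, timeout=60):
    """POST the body (network call; the key comes from the environment, not the command line)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"), method="POST",
                                 headers={"Content-Type": "application/json", "X-Customer-Key": customer_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))

# Constructed state: a database password and an SSM SecureString sit in state in plaintext.
SAMPLE_STATE = {"version": 4, "resources": [
    {"mode": "managed", "type": "aws_db_instance", "name": "cui", "instances": [{
        "attributes": {"identifier": "cui-db", "storage_encrypted": True, "password": "example-not-a-real-password"},
        "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]]}]},
    {"mode": "managed", "type": "aws_ssm_parameter", "name": "api_token", "instances": [{
        "attributes": {"name": "/app/api-token", "type": "SecureString", "value": "example-token"},
        "sensitive_attributes": [[{"type": "get_attr", "value": "value"}]]}]},
    {"mode": "managed", "type": "aws_s3_bucket", "name": "cui", "instances": [{"attributes": {"bucket": "cui-bucket"}}]},
]}

if __name__ == "__main__":
    body, replaced = build_request("cui-landing-zone", SAMPLE_STATE)
    print(f"redacted {replaced} secret value(s); body is {len(json.dumps(body))} bytes")
    key = os.environ.get("NABLA_CUSTOMER_KEY")
    if key:
        print(json.dumps(submit(body, key), indent=2))
```

Redaction keeps the attributes the assessor reads (resource types, `storage_encrypted`, policies, listeners) and replaces only the values; the original state object is not modified. Passing the customer key through an environment variable rather than on the command line keeps it out of shell history and process listings.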

Common Findings

High-Severity Issues

3.1.5 - Overly Permissive Policies
Finding: "Overly permissive wildcard (*) found in AWS IAM Policy"
Remediation: Replace wildcards with specific resources and actions
3.5.3 - Missing MFA
Finding: "No multifactor authentication found in infrastructure"
Remediation: Enable MFA requirements in Cognito user pools or IAM policies
3.13.11 - Non-FIPS Cryptography
Finding: "No FIPS-validated cryptographic modules found"
Remediation: Perform key storage and cryptographic operations in AWS KMS, Azure Key Vault, or GCP Cloud KMS, and make sure clients reach those services and your own endpoints through FIPS-validated TLS stacks (for example, the AWS FIPS endpoints); a validated KMS by itself does not make every transmission path FIPS-validated

Medium-Severity Issues

3.3.1 - Insufficient Logging
Finding: "No event logging mechanisms found"
Remediation: Enable CloudTrail, VPC Flow Logs, and application logging
3.13.8 - Unencrypted Transmission
Finding: "No cryptographic mechanisms found for data in transit"
Remediation: Configure HTTPS/TLS on load balancers and API endpoints

DFARS Compliance

NIST 800-171 compliance is required under Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 for:
  • DoD contractors and subcontractors whose contracts include the clause
  • Organizations that process, store, or transmit Controlled Unclassified Information (CUI) on their systems
This automated assessment helps demonstrate compliance with DFARS requirements, but it must be supplemented with:
  • A System Security Plan (SSP)
  • A Plan of Action & Milestones (POA&M)
  • A NIST SP 800-171 DoD Assessment score reported in SPRS (DFARS 252.204-7019/7020)
  • A CMMC Level 2 certification assessment by a C3PAO accredited by the Cyber AB, where the contract requires it

Limitations

Important Assessment Limitations:
  • IaC-Only: Only evaluates resources defined in infrastructure code
  • Runtime Gaps: Cannot assess operational security practices, user behavior, or physical security
  • Organizational Controls: Many 800-171 requirements involve policies, procedures, and training
  • Partial Coverage: Some controls (3.1.14, 3.11.1, 3.14.1) require organizational assessment
  • Cloud Provider Trust: Assumes FIPS validation claims by AWS/Azure/GCP are accurate

Best Practices

  1. Layered Assessment: Combine automated IaC scanning with manual policy review
  2. Continuous Monitoring: Run assessments on every infrastructure change
  3. Evidence Retention: Store OSCAL outputs for audit trail and POA&M tracking
  4. Gap Analysis: Use findings to prioritize remediation efforts
  5. Third-Party Validation: Consider C3PAO assessment for official certification

Scoring and POA&M

While Nabla provides automated control assessment, an official NIST 800-171 score follows the DoD NIST SP 800-171 Assessment Methodology:
  • Start at 110 (every requirement implemented) and subtract 1, 3 or 5 points for each requirement that is not implemented, according to the weight the methodology assigns it
  • Assessment levels: Basic (self-assessment), Medium and High (DoD-led); the Basic score is the one reported in SPRS
  • A Plan of Action & Milestones entry for every deficiency
Use the assessment findings to populate your POA&M:
{
  "control": "3.5.3",
  "finding": "No MFA enforcement",
  "risk_level": "High",
  "remediation_plan": "Implement MFA for all privileged accounts",
  "completion_date": "2025-12-31"
}
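As an added example, not part of Nabla’s product, the following turns the findings in an OSCAL assessment-results document into POA&M entries of the shape above, one per failed control, and computes a score in the style of the DoD methodology. The weights are as read from Annex A of the methodology and must be checked against the published table before a score is relied on; the risk-level mapping is this example’s own, and the remediation texts are those from the Common Findings section.

```python
# Point values as read from Annex A of the DoD NIST SP 800-171 Assessment Methodology (v1.2.1).
# Verify against the published table before relying on a score; 3.5.3 and 3.13.11 also have
# partial-credit values (3 instead of 5) that this example does not model.
WEIGHTS = {"3.1.5": 3, "3.3.1": 5, "3.5.3": 5, "3.13.8": 3, "3.13.11": 5}
MAX_SCORE = 110  # the methodology scores against the 110 Revision 2 requirements
RISK_BY_WEIGHT = {5: "High", 3: "Medium", 1: "Low"}  # this example's mapping, not DoD's
REMEDIATION = {  # default remediation text, taken from the Common Findings section
    "3.1.5": "Replace wildcards with specific resources and actions",
    "3.3.1": "Enable CloudTrail, VPC Flow Logs, and application logging",
    "3.5.3": "Enable MFA requirements in Cognito user pools or IAM policies",
    "3.13.8": "Configure HTTPS/TLS on load balancers and API endpoints",
    "3.13.11": "Use AWS KMS, Azure Key Vault, or GCP Cloud KMS over FIPS-validated TLS",
}

def _control_key(cid):
    return [int(p) for p in cid.split(".")]

def failed_controls(doc):
    """control id -> evidence strings, gathered from every finding and the observations it cites."""
    failed = {}
    for result in doc["assessment-results"]["results"]:
        obs = {o["uuid"]: o["description"] for o in result.get("observations", [])}
        for f in result.get("findings", []):
            cited = [obs[r["observation-uuid"]] for r in f.get("related-observations", [])
                     if r["observation-uuid"] in obs]
            failed.setdefault(f["target"]["target-id"], []).extend(cited or [f.get("description", "")])
    return dict(sorted(failed.items(), key=lambda kv: _control_key(kv[0])))

def poam_items(doc, completion_date, weights=WEIGHTS):
    """One POA&M entry per failed control, in the JSON shape shown above."""
    items = []
    for cid, evidence in failed_controls(doc).items():
        weight = weights[cid]  # KeyError on purpose: look the weight up rather than guess it
        items.append({
            "control": cid,
            "finding": "; ".join(dict.fromkeys(evidence)),  # de-duplicate, keep order
            "risk_level": RISK_BY_WEIGHT[weight],
            "remediation_plan": REMEDIATION.get(cid, "To be determined"),
            "completion_date": completion_date,
        })
    return items

def score(doc, weights=WEIGHTS):
    """Start at 110 and subtract each failed control's weight once, however many resources failed it."""
    return MAX_SCORE - sum(weights[cid] for cid in failed_controls(doc))

# Constructed OSCAL result: two resources fail 3.1.5 (counted once in the score), one finding for 3.5.3.
SAMPLE_RESULTS = {"assessment-results": {"uuid": "ar-1", "metadata": {
    "title": "Nabla NIST 800-171 Assessment", "version": "1.0.0", "oscal-version": "1.0.4"}, "results": [{
    "uuid": "r-1", "title": "NIST 800-171 IaC Assessment",
    "observations": [
        {"uuid": "obs-1", "title": "3.1.5 Evidence",
         "description": "aws_iam_policy.admin: Overly permissive wildcard (*) found in policy"},
        {"uuid": "obs-2", "title": "3.1.5 Evidence",
         "description": "aws_iam_policy.deploy: Overly permissive wildcard (*) found in policy"},
        {"uuid": "obs-3", "title": "3.5.3 Evidence",
         "description": "No multifactor authentication found in infrastructure"},
    ],
    "findings": [
        {"uuid": "f-1", "title": "3.1.5 Finding", "target": {"target-id": "3.1.5", "type": "control"},
         "related-observations": [{"observation-uuid": "obs-1"}]},
        {"uuid": "f-2", "title": "3.1.5 Finding", "target": {"target-id": "3.1.5", "type": "control"},
         "related-observations": [{"observation-uuid": "obs-2"}]},
        {"uuid": "f-3", "title": "3.5.3 Finding", "target": {"target-id": "3.5.3", "type": "control"},
         "related-observations": [{"observation-uuid": "obs-3"}]},
    ]}]}}

if __name__ == "__main__":
    import json
    print(json.dumps(poam_items(SAMPLE_RESULTS, "2025-12-31"), indent=2))
    print("score:", score(SAMPLE_RESULTS))
```

Two design points: a control that several resources fail is still one requirement not implemented, so it is deducted once and gets one POA&M entry that lists all the evidence; and a control with no entry in `WEIGHTS` raises rather than being silently scored, so the weight has to be looked up in the methodology before the score is reported.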

References